CSRF cookie not set #146

Closed
VdeJong opened this issue Jun 12, 2019 · 4 comments
Comments

VdeJong commented Jun 12, 2019

As soon as I try to log in using Google SSO on my Python/Django application, I am redirected by Google to the ACS URL, but it gives me a 403 Forbidden error. It says "CSRF cookie not set".

pitbulk (Contributor) commented Jun 12, 2019

Are you using the @csrf_exempt decorator on the ACS endpoint?

See https://docs.djangoproject.com/en/2.2/ref/csrf/#utilities

VdeJong (Author) commented Jun 12, 2019

@pitbulk no, I'm not, as I thought it is not safe to bypass CSRF. But are you saying that it is necessary for this to work?

pitbulk (Contributor) commented Jun 12, 2019

It is safe to bypass CSRF on that particular ACS endpoint.
Notice that the POST comes from a 3rd-party system that is not able to generate a valid CSRF value.
Also notice that the SAML standard has its own mechanism to validate the SAMLResponse generated by the 3rd party (IdP).
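The two points in the comment above (the IdP's POST cannot carry a Django CSRF token, and SAML binds the response to the SP in its own way) can be shown with a small stand-alone model. This is an added example, not code from the issue, from Django or from any SAML library: it uses only the standard library, the `ACS_URL`, `IDP_ENTITY_ID`, request dictionary layout, session key `saml_request_id` and the sample SAMLResponse are all constructed here, and the XML-signature step is left to a caller-supplied callback because in a real ACS view that check is done by the SAML library (for python3-saml, `OneLogin_Saml2_Auth.process_response()` followed by `get_errors()`), not by hand-written code.

```python
"""Why an ACS endpoint is CSRF-exempt, and what replaces the CSRF check.

Added example (not part of the original issue, Django, or python3-saml).
It models, with stdlib only, the decision an ACS view makes:
  1. A Django-style CSRF check can never pass for the IdP's browser-relayed
     POST: the form the IdP builds contains only SAMLResponse and RelayState,
     so there is no csrfmiddlewaretoken to compare against a csrftoken cookie
     (and the cookie itself is often absent, which is the "CSRF cookie not
     set" error in the issue).
  2. What protects the ACS instead is the SAML binding: the response must be
     addressed to our ACS URL, come from the configured IdP, answer an
     AuthnRequest ID we issued and stored in the session (single use), and
     carry a valid XML signature. Signature verification is delegated to a
     callback supplied by the SAML library; it is NOT implemented here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP configuration (placeholders, not a real deployment).
ACS_URL = "https://sp.example.test/saml/acs/"
IDP_ENTITY_ID = "https://idp.example.test/metadata"

# Constructed, unsigned sample response answering AuthnRequest "_req42".
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2019-06-12T10:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed model of what the IdP's auto-submitting form posts to the ACS.
SAMPLE_IDP_POST = {
    "method": "POST",
    "cookies": {},      # csrftoken cookie absent, as in the reported error
    "headers": {},
    "POST": {
        "SAMLResponse": base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(),
        "RelayState": "/",
    },
}


def make_session():
    """Session state the SP stored when it issued the AuthnRequest (constructed)."""
    return {"saml_request_id": "_req42"}


def django_csrf_rejection(request):
    """Return the reason a Django-style CSRF check would reject the POST, or None.

    Simplified mirror of CsrfViewMiddleware: it wants a csrftoken cookie and a
    matching csrfmiddlewaretoken field (or X-CSRFToken header). Real Django
    also masks tokens and checks Referer/Origin; the outcome for the IdP's
    POST is the same because the form never contains the token field.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    cookie = request["cookies"].get("csrftoken")
    if not cookie:
        return "CSRF cookie not set."
    token = request["POST"].get("csrfmiddlewaretoken") or request["headers"].get("X-CSRFToken")
    if token != cookie:
        return "CSRF token missing or incorrect."
    return None


def check_acs_post(request, session, verify_signature):
    """SAML-level checks that stand in for CSRF on the ACS endpoint.

    verify_signature(root) is the SAML library's hook (assumption): True only
    when the XML signature verifies against the configured IdP certificate.
    Returns (ok, reason).
    """
    if request["method"] != "POST":
        return False, "ACS only accepts POST (HTTP-POST binding)"
    encoded = request["POST"].get("SAMLResponse")
    if not encoded:
        return False, "SAMLResponse missing"
    try:
        root = ET.fromstring(base64.b64decode(encoded))
    except (ValueError, ET.ParseError):
        return False, "SAMLResponse is not valid base64-encoded XML"
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL:
        return False, "Destination does not match our ACS URL"
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP"
    expected = session.get("saml_request_id")
    if not expected or root.get("InResponseTo") != expected:
        return False, "InResponseTo does not match an AuthnRequest we issued"
    if not verify_signature(root):
        return False, "XML signature did not verify"
    session.pop("saml_request_id")  # single use: replaying the same response is rejected
    return True, "ok"


if __name__ == "__main__":
    print("Django CSRF check says:", django_csrf_rejection(SAMPLE_IDP_POST))
    # Offline run without a SAML library: treat the signature as unverified and
    # show that every structural check passes but the response is still rejected.
    print("ACS checks say:", check_acs_post(SAMPLE_IDP_POST, make_session(), lambda root: False))
```

In a Django project the same shape becomes a view decorated with `@csrf_exempt` whose body calls the SAML library, then checks `get_errors()` and the stored request ID before creating a session; the `verify_signature` callback above is the placeholder for that library call, and the single-use `saml_request_id` is what stops a captured response from being posted twice.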

VdeJong (Author) commented Jun 12, 2019

Alright.
Thanks for your clear explanation and fast reply.

@VdeJong VdeJong closed this as completed Jun 12, 2019